{
    "cells": [
        {
            "cell_type": "markdown",
            "metadata": {
                "toc": true
            },
            "source": [
                "<h1>Table of Contents<span class=\"tocSkip\"></span></h1>\n",
                "<div class=\"toc\"><ul class=\"toc-item\"><li><span><a href=\"#Azure-Sentinel-API-Calls\" data-toc-modified-id=\"Azure-Sentinel-API-Calls-1\">Azure Sentinel API Calls</a></span><ul class=\"toc-item\"><li><ul class=\"toc-item\"><li><span><a href=\"#Description\" data-toc-modified-id=\"Description-1.0.1\">Description</a></span></li><li><span><a href=\"#Installation-and-imports\" data-toc-modified-id=\"Installation-and-imports-1.0.2\">Installation and imports</a></span></li><li><span><a href=\"#Authentication\" data-toc-modified-id=\"Authentication-1.0.3\">Authentication</a></span></li></ul></li></ul></li></ul></div>"
            ]
        },
        {
            "cell_type": "markdown",
            "metadata": {},
            "source": [
                "# Azure Sentinel API Calls\n",
                "\n",
                "MSTICpy versions > 0.8.5\n",
                "\n",
                "### Description\n",
                "\n",
                "This notebook shows how to use the Azure Sentinel API features of MSTICpy to retrieve specific content (for example, hunting queries) from an Azure Sentinel workspace.\n",
                "\n",
                "### Installation and imports"
            ]
        },
        {
            "cell_type": "code",
            "execution_count": null,
            "metadata": {},
            "outputs": [],
            "source": [
                "# %pip install --upgrade msticpy[azsentinel]"
            ]
        },
        {
            "cell_type": "code",
            "execution_count": 1,
            "metadata": {
                "ExecuteTime": {
                    "end_time": "2020-10-28T00:46:14.769939Z",
                    "start_time": "2020-10-28T00:46:12.006888Z"
                }
            },
            "outputs": [],
            "source": [
                "from msticpy.context.azure.sentinel_core import MicrosoftSentinel\n",
                "import msticpy.nbwidgets as widgets\n",
                "# Importing data_obfus registers the .mp_obf DataFrame accessor that is\n",
                "# used below to mask subscription names before they are displayed.\n",
                "from msticpy.data import data_obfus as mask"
            ]
        },
        {
            "cell_type": "markdown",
            "metadata": {},
            "source": [
                "### Authentication\n",
                "The first step is to create a MicrosoftSentinel object and call its connect() method. Authentication uses the standard Azure credential options: environment variables, Azure CLI credentials, Managed Identities, and interactive logon; they are tried in turn until one succeeds (the output below shows environment-variable credentials being attempted first). Environment-variable credentials usually hold a service principal secret, so keep that secret out of the notebook source and out of its saved outputs."
            ]
        },
        {
            "cell_type": "code",
            "execution_count": 2,
            "metadata": {
                "ExecuteTime": {
                    "end_time": "2020-10-28T00:46:21.283503Z",
                    "start_time": "2020-10-28T00:46:16.357954Z"
                }
            },
            "outputs": [
                {
                    "name": "stdout",
                    "output_type": "stream",
                    "text": [
                        "Attempting to sign-in with environment variable credentials...\n"
                    ]
                }
            ],
            "source": [
                "azs = MicrosoftSentinel()\n",
                "azs.connect()"
            ]
        },
        {
            "cell_type": "markdown",
            "metadata": {},
            "source": [
                "Once connected, we need to select the Azure Sentinel workspace to get details from. The easiest way to do this is with the get_subscriptions() and get_sentinel_workspaces() functions, which let you pick the subscription and then the workspace you wish to work with. If you already know which workspace you want, you can skip the pick lists and pass its details (the workspace resource ID) straight to the other functions."
            ]
        },
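        {
            "cell_type": "markdown",
            "metadata": {},
            "source": [
                "If you skip the pick lists, the value the other functions expect is the workspace's ARM resource ID, the same string that ws.value holds once a workspace has been chosen above. The next cell is an added example, not part of the original notebook or of MSTICpy: it builds that ID from a subscription ID, resource group and workspace name, validates the parts, and splits an existing ID back into them, so a typo fails locally rather than surfacing as an authorization error from Azure. The GUID, resource group and workspace name are constructed placeholders, and the ID layout is assumed to be the standard one for Microsoft.OperationalInsights/workspaces resources."
            ]
        },
        {
            "cell_type": "code",
            "execution_count": null,
            "metadata": {},
            "outputs": [],
            "source": [
                "# Added example, not part of the original notebook or of MSTICpy.\n",
                "# Builds and validates the Log Analytics workspace resource ID that the\n",
                "# MicrosoftSentinel functions accept in place of ws.value.\n",
                "# Assumption: standard ARM layout for Microsoft.OperationalInsights/workspaces.\n",
                "import re\n",
                "import uuid\n",
                "\n",
                "_WS_RES_ID = re.compile(\n",
                "    r'^/subscriptions/(?P<sub_id>[0-9a-f-]{36})'\n",
                "    r'/resourceGroups/(?P<res_grp>[^/]+)'\n",
                "    r'/providers/Microsoft\\.OperationalInsights'\n",
                "    r'/workspaces/(?P<ws_name>[^/]+)$',\n",
                "    re.IGNORECASE,\n",
                ")\n",
                "\n",
                "\n",
                "def build_workspace_res_id(sub_id, res_grp, ws_name):\n",
                "    # Canonicalise the subscription GUID; a malformed one raises here.\n",
                "    try:\n",
                "        sub_id = str(uuid.UUID(sub_id))\n",
                "    except ValueError as err:\n",
                "        raise ValueError(f'sub_id is not a GUID: {sub_id!r}') from err\n",
                "    for label, value in (('res_grp', res_grp), ('ws_name', ws_name)):\n",
                "        if not value or '/' in value:\n",
                "            raise ValueError(f'{label} must be non-empty and contain no /')\n",
                "    return (\n",
                "        f'/subscriptions/{sub_id}/resourceGroups/{res_grp}'\n",
                "        f'/providers/Microsoft.OperationalInsights/workspaces/{ws_name}'\n",
                "    )\n",
                "\n",
                "\n",
                "def parse_workspace_res_id(res_id):\n",
                "    # ARM returns segment names in mixed case, hence the case-insensitive match.\n",
                "    match = _WS_RES_ID.match(res_id.strip())\n",
                "    if not match:\n",
                "        raise ValueError(f'not a Log Analytics workspace resource ID: {res_id!r}')\n",
                "    parts = match.groupdict()\n",
                "    parts['sub_id'] = parts['sub_id'].lower()\n",
                "    return parts\n",
                "\n",
                "\n",
                "# Constructed placeholder values (not a real subscription or workspace).\n",
                "sample_res_id = build_workspace_res_id(\n",
                "    '00000000-0000-0000-0000-000000000000', 'soc-rg', 'soc-workspace'\n",
                ")\n",
                "parsed = parse_workspace_res_id(sample_res_id)\n",
                "assert parsed['ws_name'] == 'soc-workspace'\n",
                "# Use sample_res_id wherever the notebook passes ws.value, e.g.\n",
                "# azs.get_hunting_queries(sample_res_id)"
            ]
        },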
        {
            "cell_type": "code",
            "execution_count": 3,
            "metadata": {
                "ExecuteTime": {
                    "end_time": "2020-10-28T01:39:48.623598Z",
                    "start_time": "2020-10-28T01:39:48.258598Z"
                }
            },
            "outputs": [
                {
                    "name": "stdout",
                    "output_type": "stream",
                    "text": [
                        "Attempting to sign-in with environment variable credentials...\n",
                        "obfuscating columns:\n",
                        "Display Name, \n",
                        "done\n",
                        "Select a subscription:\n"
                    ]
                },
                {
                    "data": {
                        "application/vnd.jupyter.widget-view+json": {
                            "model_id": "830b967ed650424692fa54a55234a9a9",
                            "version_major": 2,
                            "version_minor": 0
                        },
                        "text/plain": [
                            "VBox(children=(Text(value='', description='Filter:', style=DescriptionStyle(description_width='initial')), Sel…"
                        ]
                    },
                    "metadata": {},
                    "output_type": "display_data"
                },
                {
                    "data": {
                        "text/html": [
                            "<hr>"
                        ],
                        "text/plain": [
                            "<IPython.core.display.HTML object>"
                        ]
                    },
                    "metadata": {},
                    "output_type": "display_data"
                }
            ],
            "source": [
                "# Query for our subscriptions\n",
                "subs = azs.get_subscriptions()\n",
                "subs = subs.mp_obf.obfuscate(column_map={\"Display Name\": \"str\"})\n",
                "\n",
                "# Display subscriptions (masked names) in a pick list\n",
                "print(\"Select a subscription:\")\n",
                "sub = widgets.SelectItem(\n",
                "    item_list=subs['Display Name'].to_list(),\n",
                "    auto_display=True\n",
                ")"
            ]
        },
        {
            "cell_type": "code",
            "execution_count": 4,
            "metadata": {
                "ExecuteTime": {
                    "end_time": "2020-10-28T01:44:53.170848Z",
                    "start_time": "2020-10-28T01:44:47.548676Z"
                }
            },
            "outputs": [
                {
                    "name": "stdout",
                    "output_type": "stream",
                    "text": [
                        "Finding Azure Sentinel Workspaces...\n",
                        "Attempting to sign-in with environment variable credentials...\n",
                        "Select an Azure Sentinel Workspace:\n"
                    ]
                },
                {
                    "data": {
                        "application/vnd.jupyter.widget-view+json": {
                            "model_id": "c24a0d08d4614340907a64b1039eadf6",
                            "version_major": 2,
                            "version_minor": 0
                        },
                        "text/plain": [
                            "VBox(children=(Text(value='', description='Filter:', style=DescriptionStyle(description_width='initial')), Sel…"
                        ]
                    },
                    "metadata": {},
                    "output_type": "display_data"
                },
                {
                    "data": {
                        "text/html": [
                            "<hr>"
                        ],
                        "text/plain": [
                            "<IPython.core.display.HTML object>"
                        ]
                    },
                    "metadata": {},
                    "output_type": "display_data"
                }
            ],
            "source": [
                "# Get the subscription ID\n",
                "sub_id = subs[subs['Display Name'] == sub.value].iloc[0]['Subscription ID']\n",
                "# Query for workspaces in that subscription\n",
                "workspaces = azs.get_sentinel_workspaces(sub_id = sub_id)\n",
                "# Display workspaces in a list\n",
                "print(\"Select an Azure Sentinel Workspace:\")\n",
                "ws = widgets.SelectItem(\n",
                "    item_dict=workspaces,\n",
                "    auto_display=True\n",
                ")"
            ]
        },
        {
            "cell_type": "markdown",
            "metadata": {},
            "source": [
                "Now that we have selected our workspace we can call various functions to get details about content in the workspace. These are typically returned as DataFrames. Below we get a list of hunting queries configured in our workspace."
            ]
        },
        {
            "cell_type": "code",
            "execution_count": 5,
            "metadata": {
                "ExecuteTime": {
                    "end_time": "2020-10-28T01:45:10.962506Z",
                    "start_time": "2020-10-28T01:45:09.792474Z"
                }
            },
            "outputs": [
                {
                    "data": {
                        "text/html": [
                            "<div>\n",
                            "<style scoped>\n",
                            "    .dataframe tbody tr th:only-of-type {\n",
                            "        vertical-align: middle;\n",
                            "    }\n",
                            "\n",
                            "    .dataframe tbody tr th {\n",
                            "        vertical-align: top;\n",
                            "    }\n",
                            "\n",
                            "    .dataframe thead th {\n",
                            "        text-align: right;\n",
                            "    }\n",
                            "</style>\n",
                            "<table border=\"1\" class=\"dataframe\">\n",
                            "  <thead>\n",
                            "    <tr style=\"text-align: right;\">\n",
                            "      <th></th>\n",
                            "      <th>type</th>\n",
                            "      <th>properties.Category</th>\n",
                            "      <th>properties.DisplayName</th>\n",
                            "      <th>properties.Query</th>\n",
                            "      <th>properties.Version</th>\n",
                            "      <th>properties.Tags</th>\n",
                            "      <th>properties.FunctionAlias</th>\n",
                            "      <th>properties.FunctionParameters</th>\n",
                            "    </tr>\n",
                            "  </thead>\n",
                            "  <tbody>\n",
                            "    <tr>\n",
                            "      <th>2</th>\n",
                            "      <td>Microsoft.OperationalInsights/savedSearches</td>\n",
                            "      <td>Hunting Queries</td>\n",
                            "      <td>Powershell</td>\n",
                            "      <td>SecurityEvent\\r\\n| where ParentProcessName con...</td>\n",
                            "      <td>2</td>\n",
                            "      <td>NaN</td>\n",
                            "      <td>NaN</td>\n",
                            "      <td>NaN</td>\n",
                            "    </tr>\n",
                            "    <tr>\n",
                            "      <th>5</th>\n",
                            "      <td>Microsoft.OperationalInsights/savedSearches</td>\n",
                            "      <td>Hunting Queries</td>\n",
                            "      <td>Anomalous AAD Account Creation</td>\n",
                            "      <td>\\nBehaviorAnalytics\\n| where ActionType == \"Ad...</td>\n",
                            "      <td>2</td>\n",
                            "      <td>[{'Name': 'description', 'Value': ''}, {'Name'...</td>\n",
                            "      <td>NaN</td>\n",
                            "      <td>NaN</td>\n",
                            "    </tr>\n",
                            "    <tr>\n",
                            "      <th>7</th>\n",
                            "      <td>Microsoft.OperationalInsights/savedSearches</td>\n",
                            "      <td>Hunting Queries</td>\n",
                            "      <td>Entropy for Processes for a given Host</td>\n",
                            "      <td>\\n// May need to reduce the number of days if ...</td>\n",
                            "      <td>2</td>\n",
                            "      <td>[{'Name': 'description', 'Value': ''}, {'Name'...</td>\n",
                            "      <td>NaN</td>\n",
                            "      <td>NaN</td>\n",
                            "    </tr>\n",
                            "    <tr>\n",
                            "      <th>9</th>\n",
                            "      <td>Microsoft.OperationalInsights/savedSearches</td>\n",
                            "      <td>Hunting Queries</td>\n",
                            "      <td>RareDNSLookupWithDataTransfer</td>\n",
                            "      <td>\\nlet lookbackint = 7;\\nlet lookupThreshold = ...</td>\n",
                            "      <td>2</td>\n",
                            "      <td>[{'Name': 'description', 'Value': ''}, {'Name'...</td>\n",
                            "      <td>NaN</td>\n",
                            "      <td>NaN</td>\n",
                            "    </tr>\n",
                            "    <tr>\n",
                            "      <th>12</th>\n",
                            "      <td>Microsoft.OperationalInsights/savedSearches</td>\n",
                            "      <td>Hunting Queries</td>\n",
                            "      <td>Least Common Processes by Command Line</td>\n",
                            "      <td>\\nlet Allowlist = dynamic (['foo.exe', 'baz.ex...</td>\n",
                            "      <td>2</td>\n",
                            "      <td>[{'Name': 'description', 'Value': ''}, {'Name'...</td>\n",
                            "      <td>NaN</td>\n",
                            "      <td>NaN</td>\n",
                            "    </tr>\n",
                            "  </tbody>\n",
                            "</table>\n",
                            "</div>"
                        ],
                        "text/plain": [
                            "                                           type properties.Category  \\\n",
                            "2   Microsoft.OperationalInsights/savedSearches     Hunting Queries   \n",
                            "5   Microsoft.OperationalInsights/savedSearches     Hunting Queries   \n",
                            "7   Microsoft.OperationalInsights/savedSearches     Hunting Queries   \n",
                            "9   Microsoft.OperationalInsights/savedSearches     Hunting Queries   \n",
                            "12  Microsoft.OperationalInsights/savedSearches     Hunting Queries   \n",
                            "\n",
                            "                    properties.DisplayName  \\\n",
                            "2                               Powershell   \n",
                            "5           Anomalous AAD Account Creation   \n",
                            "7   Entropy for Processes for a given Host   \n",
                            "9            RareDNSLookupWithDataTransfer   \n",
                            "12  Least Common Processes by Command Line   \n",
                            "\n",
                            "                                     properties.Query  properties.Version  \\\n",
                            "2   SecurityEvent\\r\\n| where ParentProcessName con...                   2   \n",
                            "5   \\nBehaviorAnalytics\\n| where ActionType == \"Ad...                   2   \n",
                            "7   \\n// May need to reduce the number of days if ...                   2   \n",
                            "9   \\nlet lookbackint = 7;\\nlet lookupThreshold = ...                   2   \n",
                            "12  \\nlet Allowlist = dynamic (['foo.exe', 'baz.ex...                   2   \n",
                            "\n",
                            "                                      properties.Tags  \\\n",
                            "2                                                 NaN   \n",
                            "5   [{'Name': 'description', 'Value': ''}, {'Name'...   \n",
                            "7   [{'Name': 'description', 'Value': ''}, {'Name'...   \n",
                            "9   [{'Name': 'description', 'Value': ''}, {'Name'...   \n",
                            "12  [{'Name': 'description', 'Value': ''}, {'Name'...   \n",
                            "\n",
                            "   properties.FunctionAlias properties.FunctionParameters  \n",
                            "2                       NaN                           NaN  \n",
                            "5                       NaN                           NaN  \n",
                            "7                       NaN                           NaN  \n",
                            "9                       NaN                           NaN  \n",
                            "12                      NaN                           NaN  "
                        ]
                    },
                    "execution_count": 5,
                    "metadata": {},
                    "output_type": "execute_result"
                }
            ],
            "source": [
                "queries = azs.get_hunting_queries(ws.value)\n",
                "queries.head().drop(columns=[\"id\", \"etag\", \"name\"])"
            ]
        },
        {
            "cell_type": "markdown",
            "metadata": {},
            "source": [
                "Each hunting query row includes the raw KQL of the query (the properties.Query column), so the query text can be passed directly to a QueryProvider to run the hunt and get its results inside the notebook."
            ]
        },
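        {
            "cell_type": "markdown",
            "metadata": {},
            "source": [
                "Before running a query pulled from the workspace, remember that saved searches can be edited by anyone with write access to the workspace, so the query text is input you did not write. The next cell is an added example, not part of the original notebook or of MSTICpy: it picks a hunting query by display name from the records of the DataFrame above (queries.to_dict('records')), flattens its tags, and flags KQL that uses the externaldata operator to pull data from outside the workspace, so the query can be reviewed before it is handed to a QueryProvider's exec_query(). The sample records are constructed to mirror the columns shown above; the tag name tactics is assumed from the Sentinel hunting-query tag set, since this page only shows the description tag."
            ]
        },
        {
            "cell_type": "code",
            "execution_count": null,
            "metadata": {},
            "outputs": [],
            "source": [
                "# Added example, not part of the original notebook or of MSTICpy.\n",
                "# Selects one hunting query from records shaped like queries.to_dict('records')\n",
                "# and reviews its KQL before it is passed to QueryProvider.exec_query().\n",
                "import re\n",
                "\n",
                "# A query from the workspace is text someone else may have edited, so flag\n",
                "# operators that reach outside the workspace before executing it.\n",
                "# externaldata reads from an external URL or storage account.\n",
                "_REVIEW_PATTERNS = {\n",
                "    'externaldata': re.compile(r'\\bexternaldata\\b', re.IGNORECASE),\n",
                "}\n",
                "\n",
                "\n",
                "def flatten_tags(tags):\n",
                "    # Tags arrive as [{'Name': ..., 'Value': ...}, ...]; queries without tags\n",
                "    # carry NaN (a float) in the DataFrame, which becomes an empty dict.\n",
                "    if not isinstance(tags, list):\n",
                "        return {}\n",
                "    return {t.get('Name'): t.get('Value') for t in tags if isinstance(t, dict)}\n",
                "\n",
                "\n",
                "def review_query(kql):\n",
                "    # Names of the review patterns present in the query; empty means nothing flagged.\n",
                "    return [name for name, pat in _REVIEW_PATTERNS.items() if pat.search(kql)]\n",
                "\n",
                "\n",
                "def select_hunting_query(records, display_name):\n",
                "    # Exactly one query must match; duplicate display names are themselves\n",
                "    # worth a look in a shared workspace.\n",
                "    matches = [r for r in records if r.get('properties.DisplayName') == display_name]\n",
                "    if len(matches) != 1:\n",
                "        raise LookupError(\n",
                "            f'expected one query named {display_name!r}, found {len(matches)}'\n",
                "        )\n",
                "    row = matches[0]\n",
                "    kql = row['properties.Query'].strip()\n",
                "    return {\n",
                "        'display_name': display_name,\n",
                "        'query': kql,\n",
                "        'tags': flatten_tags(row.get('properties.Tags')),\n",
                "        'review_flags': review_query(kql),\n",
                "    }\n",
                "\n",
                "\n",
                "# Constructed sample records mirroring the columns shown above.\n",
                "# The tag name 'tactics' is assumed; only 'description' appears on this page.\n",
                "SAMPLE_RECORDS = [\n",
                "    {\n",
                "        'properties.DisplayName': 'Powershell',\n",
                "        'properties.Query': \"SecurityEvent\\r\\n| where ParentProcessName contains 'powershell'\",\n",
                "        'properties.Tags': float('nan'),\n",
                "    },\n",
                "    {\n",
                "        'properties.DisplayName': 'RareDNSLookupWithDataTransfer',\n",
                "        'properties.Query': '\\nlet lookbackint = 7;\\nDnsEvents\\n| where TimeGenerated > ago(7d)',\n",
                "        'properties.Tags': [\n",
                "            {'Name': 'description', 'Value': ''},\n",
                "            {'Name': 'tactics', 'Value': 'Exfiltration'},\n",
                "        ],\n",
                "    },\n",
                "    {\n",
                "        'properties.DisplayName': 'Suspicious import',\n",
                "        'properties.Query': \"externaldata(ip:string) [h'https://example.invalid/list.csv']\\n| take 10\",\n",
                "        'properties.Tags': [{'Name': 'description', 'Value': 'added by a colleague'}],\n",
                "    },\n",
                "]\n",
                "\n",
                "selected = select_hunting_query(SAMPLE_RECORDS, 'RareDNSLookupWithDataTransfer')\n",
                "if selected['review_flags']:\n",
                "    raise RuntimeError(f'review before running: {selected[\"review_flags\"]}')\n",
                "# selected['query'] is now the text to pass to a QueryProvider, e.g.\n",
                "# qry_prov.exec_query(selected['query'])\n",
                "\n",
                "flagged = select_hunting_query(SAMPLE_RECORDS, 'Suspicious import')\n",
                "assert flagged['review_flags'] == ['externaldata']"
            ]
        },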
        {
            "cell_type": "code",
            "execution_count": 13,
            "metadata": {
                "ExecuteTime": {
                    "end_time": "2020-10-28T00:52:19.961283Z",
                    "start_time": "2020-10-28T00:52:16.730666Z"
                }
            },
            "outputs": [
                {
                    "data": {
                        "application/javascript": "try {IPython.notebook.kernel.execute(\"NOTEBOOK_URL = '\" + window.location + \"'\");} catch(err) {;}",
                        "text/plain": [
                            "<IPython.core.display.Javascript object>"
                        ]
                    },
                    "metadata": {},
                    "output_type": "display_data"
                },
                {
                    "data": {
                        "text/html": [
                            "<div>\n",
                            "<style scoped>\n",
                            "    .dataframe tbody tr th:only-of-type {\n",
                            "        vertical-align: middle;\n",
                            "    }\n",
                            "\n",
                            "    .dataframe tbody tr th {\n",
                            "        vertical-align: top;\n",
                            "    }\n",
                            "\n",
                            "    .dataframe thead th {\n",
                            "        text-align: right;\n",
                            "    }\n",
                            "</style>\n",
                            "<table border=\"1\" class=\"dataframe\">\n",
                            "  <thead>\n",
                            "    <tr style=\"text-align: right;\">\n",
                            "      <th></th>\n",
                            "      <th>TimeGenerated</th>\n",
                            "      <th>EventID</th>\n",
                            "      <th>Computer</th>\n",
                            "      <th>SubjectUserSid</th>\n",
                            "      <th>Account</th>\n",
                            "      <th>Weight</th>\n",
                            "      <th>AdjustedProcessEntropy</th>\n",
                            "      <th>FullDecimalProcessEntropy</th>\n",
                            "      <th>Process</th>\n",
                            "      <th>NewProcessName</th>\n",
                            "      <th>CommandLine</th>\n",
                            "      <th>ParentProcessName</th>\n",
                            "      <th>TotalProcessCountOnHost</th>\n",
                            "      <th>ProcessCountOnHost</th>\n",
                            "      <th>DistinctComputersWithProcessCount</th>\n",
                            "      <th>timestamp</th>\n",
                            "      <th>HostCustomEntity</th>\n",
                            "      <th>AccountCustomEntity</th>\n",
                            "    </tr>\n",
                            "  </thead>\n",
                            "  <tbody>\n",
                            "    <tr>\n",
                            "      <th>0</th>\n",
                            "      <td>2020-11-21 21:18:51.317000+00:00</td>\n",
                            "      <td>4688</td>\n",
                            "      <td>WinAttackSim</td>\n",
                            "      <td>S-1-5-18</td>\n",
                            "      <td>WORKGROUP\\WinAttackSim$</td>\n",
                            "      <td>10.743361</td>\n",
                            "      <td>10.743361</td>\n",
                            "      <td>0.001074</td>\n",
                            "      <td>Defrag.exe</td>\n",
                            "      <td>C:\\Windows\\System32\\Defrag.exe</td>\n",
                            "      <td>C:\\windows\\system32\\defrag.exe -c -h -k -g -$</td>\n",
                            "      <td>C:\\Windows\\System32\\svchost.exe</td>\n",
                            "      <td>12688</td>\n",
                            "      <td>1</td>\n",
                            "      <td>1</td>\n",
                            "      <td>2020-11-21 21:18:51.317000+00:00</td>\n",
                            "      <td>WinAttackSim</td>\n",
                            "      <td>WORKGROUP\\WinAttackSim$</td>\n",
                            "    </tr>\n",
                            "    <tr>\n",
                            "      <th>1</th>\n",
                            "      <td>2020-11-23 01:31:49.930000+00:00</td>\n",
                            "      <td>4688</td>\n",
                            "      <td>WinAttackSim</td>\n",
                            "      <td>S-1-5-18</td>\n",
                            "      <td>WORKGROUP\\WinAttackSim$</td>\n",
                            "      <td>10.743361</td>\n",
                            "      <td>10.743361</td>\n",
                            "      <td>0.001074</td>\n",
                            "      <td>SppExtComObj.Exe</td>\n",
                            "      <td>C:\\Windows\\System32\\SppExtComObj.Exe</td>\n",
                            "      <td>C:\\windows\\system32\\SppExtComObj.exe -Embedding</td>\n",
                            "      <td>C:\\Windows\\System32\\svchost.exe</td>\n",
                            "      <td>12688</td>\n",
                            "      <td>1</td>\n",
                            "      <td>1</td>\n",
                            "      <td>2020-11-23 01:31:49.930000+00:00</td>\n",
                            "      <td>WinAttackSim</td>\n",
                            "      <td>WORKGROUP\\WinAttackSim$</td>\n",
                            "    </tr>\n",
                            "    <tr>\n",
                            "      <th>2</th>\n",
                            "      <td>2020-11-20 17:18:36.960000+00:00</td>\n",
                            "      <td>4688</td>\n",
                            "      <td>WinAttackSim</td>\n",
                            "      <td>S-1-5-18</td>\n",
                            "      <td>WORKGROUP\\WinAttackSim$</td>\n",
                            "      <td>10.743361</td>\n",
                            "      <td>10.743361</td>\n",
                            "      <td>0.001074</td>\n",
                            "      <td>makecab.exe</td>\n",
                            "      <td>C:\\Windows\\System32\\makecab.exe</td>\n",
                            "      <td>\"C:\\windows\\system32\\makecab.exe\" C:\\windows\\L...</td>\n",
                            "      <td>C:\\Windows\\WinSxS\\amd64_microsoft-windows-serv...</td>\n",
                            "      <td>12688</td>\n",
                            "      <td>1</td>\n",
                            "      <td>1</td>\n",
                            "      <td>2020-11-20 17:18:36.960000+00:00</td>\n",
                            "      <td>WinAttackSim</td>\n",
                            "      <td>WORKGROUP\\WinAttackSim$</td>\n",
                            "    </tr>\n",
                            "    <tr>\n",
                            "      <th>3</th>\n",
                            "      <td>2020-11-21 21:18:51.303000+00:00</td>\n",
                            "      <td>4688</td>\n",
                            "      <td>WinAttackSim</td>\n",
                            "      <td>S-1-5-18</td>\n",
                            "      <td>WORKGROUP\\WinAttackSim$</td>\n",
                            "      <td>10.743361</td>\n",
                            "      <td>10.743361</td>\n",
                            "      <td>0.001074</td>\n",
                            "      <td>rundll32.exe</td>\n",
                            "      <td>C:\\Windows\\System32\\rundll32.exe</td>\n",
                            "      <td>C:\\windows\\system32\\rundll32.exe Windows.Stora...</td>\n",
                            "      <td>C:\\Windows\\System32\\svchost.exe</td>\n",
                            "      <td>12688</td>\n",
                            "      <td>1</td>\n",
                            "      <td>1</td>\n",
                            "      <td>2020-11-21 21:18:51.303000+00:00</td>\n",
                            "      <td>WinAttackSim</td>\n",
                            "      <td>WORKGROUP\\WinAttackSim$</td>\n",
                            "    </tr>\n",
                            "    <tr>\n",
                            "      <th>4</th>\n",
                            "      <td>2020-11-21 21:18:51.310000+00:00</td>\n",
                            "      <td>4688</td>\n",
                            "      <td>WinAttackSim</td>\n",
                            "      <td>S-1-5-18</td>\n",
                            "      <td>WORKGROUP\\WinAttackSim$</td>\n",
                            "      <td>10.743361</td>\n",
                            "      <td>10.743361</td>\n",
                            "      <td>0.001074</td>\n",
                            "      <td>tzsync.exe</td>\n",
                            "      <td>C:\\Windows\\System32\\tzsync.exe</td>\n",
                            "      <td>C:\\windows\\system32\\tzsync.exe</td>\n",
                            "      <td>C:\\Windows\\System32\\svchost.exe</td>\n",
                            "      <td>12688</td>\n",
                            "      <td>1</td>\n",
                            "      <td>1</td>\n",
                            "      <td>2020-11-21 21:18:51.310000+00:00</td>\n",
                            "      <td>WinAttackSim</td>\n",
                            "      <td>WORKGROUP\\WinAttackSim$</td>\n",
                            "    </tr>\n",
                            "    <tr>\n",
                            "      <th>5</th>\n",
                            "      <td>2020-11-18 01:18:36.913000+00:00</td>\n",
                            "      <td>4688</td>\n",
                            "      <td>WinAttackSim</td>\n",
                            "      <td>S-1-5-18</td>\n",
                            "      <td>WORKGROUP\\WinAttackSim$</td>\n",
                            "      <td>39.820861</td>\n",
                            "      <td>19.910430</td>\n",
                            "      <td>0.001991</td>\n",
                            "      <td>lpremove.exe</td>\n",
                            "      <td>C:\\Windows\\System32\\lpremove.exe</td>\n",
                            "      <td>C:\\windows\\system32\\lpremove.exe</td>\n",
                            "      <td>C:\\Windows\\System32\\svchost.exe</td>\n",
                            "      <td>12688</td>\n",
                            "      <td>2</td>\n",
                            "      <td>1</td>\n",
                            "      <td>2020-11-18 01:18:36.913000+00:00</td>\n",
                            "      <td>WinAttackSim</td>\n",
                            "      <td>WORKGROUP\\WinAttackSim$</td>\n",
                            "    </tr>\n",
                            "    <tr>\n",
                            "      <th>6</th>\n",
                            "      <td>2020-11-21 03:18:49.223000+00:00</td>\n",
                            "      <td>4688</td>\n",
                            "      <td>WinAttackSim</td>\n",
                            "      <td>S-1-5-18</td>\n",
                            "      <td>WORKGROUP\\WinAttackSim$</td>\n",
                            "      <td>39.820861</td>\n",
                            "      <td>19.910430</td>\n",
                            "      <td>0.001991</td>\n",
                            "      <td>lpremove.exe</td>\n",
                            "      <td>C:\\Windows\\System32\\lpremove.exe</td>\n",
                            "      <td>C:\\windows\\system32\\lpremove.exe</td>\n",
                            "      <td>C:\\Windows\\System32\\svchost.exe</td>\n",
                            "      <td>12688</td>\n",
                            "      <td>2</td>\n",
                            "      <td>1</td>\n",
                            "      <td>2020-11-21 03:18:49.223000+00:00</td>\n",
                            "      <td>WinAttackSim</td>\n",
                            "      <td>WORKGROUP\\WinAttackSim$</td>\n",
                            "    </tr>\n",
                            "    <tr>\n",
                            "      <th>7</th>\n",
                            "      <td>2020-11-23 01:31:49.957000+00:00</td>\n",
                            "      <td>4688</td>\n",
                            "      <td>WinAttackSim</td>\n",
                            "      <td>S-1-5-20</td>\n",
                            "      <td>WORKGROUP\\WinAttackSim$</td>\n",
                            "      <td>39.820861</td>\n",
                            "      <td>19.910430</td>\n",
                            "      <td>0.001991</td>\n",
                            "      <td>slui.exe</td>\n",
                            "      <td>C:\\Windows\\System32\\slui.exe</td>\n",
                            "      <td>\"C:\\windows\\System32\\SLUI.exe\" RuleId=502ff3ba...</td>\n",
                            "      <td>C:\\Windows\\System32\\SppExtComObj.Exe</td>\n",
                            "      <td>12688</td>\n",
                            "      <td>2</td>\n",
                            "      <td>1</td>\n",
                            "      <td>2020-11-23 01:31:49.957000+00:00</td>\n",
                            "      <td>WinAttackSim</td>\n",
                            "      <td>WORKGROUP\\WinAttackSim$</td>\n",
                            "    </tr>\n",
                            "    <tr>\n",
                            "      <th>8</th>\n",
                            "      <td>2020-11-23 01:31:54.340000+00:00</td>\n",
                            "      <td>4688</td>\n",
                            "      <td>WinAttackSim</td>\n",
                            "      <td>S-1-5-20</td>\n",
                            "      <td>WORKGROUP\\WinAttackSim$</td>\n",
                            "      <td>39.820861</td>\n",
                            "      <td>19.910430</td>\n",
                            "      <td>0.001991</td>\n",
                            "      <td>slui.exe</td>\n",
                            "      <td>C:\\Windows\\System32\\slui.exe</td>\n",
                            "      <td>\"C:\\windows\\System32\\SLUI.exe\" RuleId=379cccfb...</td>\n",
                            "      <td>C:\\Windows\\System32\\SppExtComObj.Exe</td>\n",
                            "      <td>12688</td>\n",
                            "      <td>2</td>\n",
                            "      <td>1</td>\n",
                            "      <td>2020-11-23 01:31:54.340000+00:00</td>\n",
                            "      <td>WinAttackSim</td>\n",
                            "      <td>WORKGROUP\\WinAttackSim$</td>\n",
                            "    </tr>\n",
                            "  </tbody>\n",
                            "</table>\n",
                            "</div>"
                        ],
                        "text/plain": [
                            "                     TimeGenerated  EventID      Computer SubjectUserSid  \\\n",
                            "0 2020-11-21 21:18:51.317000+00:00     4688  WinAttackSim       S-1-5-18   \n",
                            "1 2020-11-23 01:31:49.930000+00:00     4688  WinAttackSim       S-1-5-18   \n",
                            "2 2020-11-20 17:18:36.960000+00:00     4688  WinAttackSim       S-1-5-18   \n",
                            "3 2020-11-21 21:18:51.303000+00:00     4688  WinAttackSim       S-1-5-18   \n",
                            "4 2020-11-21 21:18:51.310000+00:00     4688  WinAttackSim       S-1-5-18   \n",
                            "5 2020-11-18 01:18:36.913000+00:00     4688  WinAttackSim       S-1-5-18   \n",
                            "6 2020-11-21 03:18:49.223000+00:00     4688  WinAttackSim       S-1-5-18   \n",
                            "7 2020-11-23 01:31:49.957000+00:00     4688  WinAttackSim       S-1-5-20   \n",
                            "8 2020-11-23 01:31:54.340000+00:00     4688  WinAttackSim       S-1-5-20   \n",
                            "\n",
                            "                   Account     Weight  AdjustedProcessEntropy  \\\n",
                            "0  WORKGROUP\\WinAttackSim$  10.743361               10.743361   \n",
                            "1  WORKGROUP\\WinAttackSim$  10.743361               10.743361   \n",
                            "2  WORKGROUP\\WinAttackSim$  10.743361               10.743361   \n",
                            "3  WORKGROUP\\WinAttackSim$  10.743361               10.743361   \n",
                            "4  WORKGROUP\\WinAttackSim$  10.743361               10.743361   \n",
                            "5  WORKGROUP\\WinAttackSim$  39.820861               19.910430   \n",
                            "6  WORKGROUP\\WinAttackSim$  39.820861               19.910430   \n",
                            "7  WORKGROUP\\WinAttackSim$  39.820861               19.910430   \n",
                            "8  WORKGROUP\\WinAttackSim$  39.820861               19.910430   \n",
                            "\n",
                            "   FullDecimalProcessEntropy           Process  \\\n",
                            "0                   0.001074        Defrag.exe   \n",
                            "1                   0.001074  SppExtComObj.Exe   \n",
                            "2                   0.001074       makecab.exe   \n",
                            "3                   0.001074      rundll32.exe   \n",
                            "4                   0.001074        tzsync.exe   \n",
                            "5                   0.001991      lpremove.exe   \n",
                            "6                   0.001991      lpremove.exe   \n",
                            "7                   0.001991          slui.exe   \n",
                            "8                   0.001991          slui.exe   \n",
                            "\n",
                            "                         NewProcessName  \\\n",
                            "0        C:\\Windows\\System32\\Defrag.exe   \n",
                            "1  C:\\Windows\\System32\\SppExtComObj.Exe   \n",
                            "2       C:\\Windows\\System32\\makecab.exe   \n",
                            "3      C:\\Windows\\System32\\rundll32.exe   \n",
                            "4        C:\\Windows\\System32\\tzsync.exe   \n",
                            "5      C:\\Windows\\System32\\lpremove.exe   \n",
                            "6      C:\\Windows\\System32\\lpremove.exe   \n",
                            "7          C:\\Windows\\System32\\slui.exe   \n",
                            "8          C:\\Windows\\System32\\slui.exe   \n",
                            "\n",
                            "                                         CommandLine  \\\n",
                            "0      C:\\windows\\system32\\defrag.exe -c -h -k -g -$   \n",
                            "1    C:\\windows\\system32\\SppExtComObj.exe -Embedding   \n",
                            "2  \"C:\\windows\\system32\\makecab.exe\" C:\\windows\\L...   \n",
                            "3  C:\\windows\\system32\\rundll32.exe Windows.Stora...   \n",
                            "4                     C:\\windows\\system32\\tzsync.exe   \n",
                            "5                   C:\\windows\\system32\\lpremove.exe   \n",
                            "6                   C:\\windows\\system32\\lpremove.exe   \n",
                            "7  \"C:\\windows\\System32\\SLUI.exe\" RuleId=502ff3ba...   \n",
                            "8  \"C:\\windows\\System32\\SLUI.exe\" RuleId=379cccfb...   \n",
                            "\n",
                            "                                   ParentProcessName  TotalProcessCountOnHost  \\\n",
                            "0                    C:\\Windows\\System32\\svchost.exe                    12688   \n",
                            "1                    C:\\Windows\\System32\\svchost.exe                    12688   \n",
                            "2  C:\\Windows\\WinSxS\\amd64_microsoft-windows-serv...                    12688   \n",
                            "3                    C:\\Windows\\System32\\svchost.exe                    12688   \n",
                            "4                    C:\\Windows\\System32\\svchost.exe                    12688   \n",
                            "5                    C:\\Windows\\System32\\svchost.exe                    12688   \n",
                            "6                    C:\\Windows\\System32\\svchost.exe                    12688   \n",
                            "7               C:\\Windows\\System32\\SppExtComObj.Exe                    12688   \n",
                            "8               C:\\Windows\\System32\\SppExtComObj.Exe                    12688   \n",
                            "\n",
                            "   ProcessCountOnHost  DistinctComputersWithProcessCount  \\\n",
                            "0                   1                                  1   \n",
                            "1                   1                                  1   \n",
                            "2                   1                                  1   \n",
                            "3                   1                                  1   \n",
                            "4                   1                                  1   \n",
                            "5                   2                                  1   \n",
                            "6                   2                                  1   \n",
                            "7                   2                                  1   \n",
                            "8                   2                                  1   \n",
                            "\n",
                            "                         timestamp HostCustomEntity      AccountCustomEntity  \n",
                            "0 2020-11-21 21:18:51.317000+00:00     WinAttackSim  WORKGROUP\\WinAttackSim$  \n",
                            "1 2020-11-23 01:31:49.930000+00:00     WinAttackSim  WORKGROUP\\WinAttackSim$  \n",
                            "2 2020-11-20 17:18:36.960000+00:00     WinAttackSim  WORKGROUP\\WinAttackSim$  \n",
                            "3 2020-11-21 21:18:51.303000+00:00     WinAttackSim  WORKGROUP\\WinAttackSim$  \n",
                            "4 2020-11-21 21:18:51.310000+00:00     WinAttackSim  WORKGROUP\\WinAttackSim$  \n",
                            "5 2020-11-18 01:18:36.913000+00:00     WinAttackSim  WORKGROUP\\WinAttackSim$  \n",
                            "6 2020-11-21 03:18:49.223000+00:00     WinAttackSim  WORKGROUP\\WinAttackSim$  \n",
                            "7 2020-11-23 01:31:49.957000+00:00     WinAttackSim  WORKGROUP\\WinAttackSim$  \n",
                            "8 2020-11-23 01:31:54.340000+00:00     WinAttackSim  WORKGROUP\\WinAttackSim$  "
                        ]
                    },
                    "execution_count": 13,
                    "metadata": {},
                    "output_type": "execute_result"
                }
            ],
            "source": [
                "from msticpy.data.data_providers import QueryProvider\n",
                "from msticpy.common.wsconfig import WorkspaceConfig\n",
                "\n",
                "# Connect a Log Analytics query provider using the workspace settings from msticpyconfig.yaml\n",
                "qry_prov = QueryProvider('LogAnalytics')\n",
                "wkspace = WorkspaceConfig()\n",
                "qry_prov.connect(wkspace.code_connect_str)\n",
                "\n",
                "# Run the KQL text of the saved query at index 2 of the queries DataFrame retrieved above\n",
                "qry_prov.exec_query(queries['properties.Query'].iloc[2])"
            ]
        },
        {
            "cell_type": "markdown",
            "metadata": {},
            "source": [
                "We can also get a list of configured alert rules:"
            ]
        },
        {
            "cell_type": "code",
            "execution_count": 14,
            "metadata": {
                "ExecuteTime": {
                    "end_time": "2020-10-28T00:50:07.155005Z",
                    "start_time": "2020-10-28T00:50:06.191005Z"
                }
            },
            "outputs": [
                {
                    "data": {
                        "text/html": [
                            "<div>\n",
                            "<style scoped>\n",
                            "    .dataframe tbody tr th:only-of-type {\n",
                            "        vertical-align: middle;\n",
                            "    }\n",
                            "\n",
                            "    .dataframe tbody tr th {\n",
                            "        vertical-align: top;\n",
                            "    }\n",
                            "\n",
                            "    .dataframe thead th {\n",
                            "        text-align: right;\n",
                            "    }\n",
                            "</style>\n",
                            "<table border=\"1\" class=\"dataframe\">\n",
                            "  <thead>\n",
                            "    <tr style=\"text-align: right;\">\n",
                            "      <th></th>\n",
                            "      <th>type</th>\n",
                            "      <th>kind</th>\n",
                            "      <th>properties.severity</th>\n",
                            "      <th>properties.query</th>\n",
                            "      <th>properties.queryFrequency</th>\n",
                            "      <th>properties.queryPeriod</th>\n",
                            "      <th>properties.triggerOperator</th>\n",
                            "      <th>properties.triggerThreshold</th>\n",
                            "      <th>properties.suppressionDuration</th>\n",
                            "      <th>properties.suppressionEnabled</th>\n",
                            "      <th>...</th>\n",
                            "      <th>properties.description</th>\n",
                            "      <th>properties.tactics</th>\n",
                            "      <th>properties.alertRuleTemplateName</th>\n",
                            "      <th>properties.lastModifiedUtc</th>\n",
                            "      <th>properties.customFields.Filename</th>\n",
                            "      <th>properties.customFields.Reason</th>\n",
                            "      <th>properties.productFilter</th>\n",
                            "      <th>properties.severitiesFilter</th>\n",
                            "      <th>properties.displayNamesFilter</th>\n",
                            "      <th>properties.displayNamesExcludeFilter</th>\n",
                            "    </tr>\n",
                            "  </thead>\n",
                            "  <tbody>\n",
                            "    <tr>\n",
                            "      <th>0</th>\n",
                            "      <td>Microsoft.SecurityInsights/alertRules</td>\n",
                            "      <td>Scheduled</td>\n",
                            "      <td>Medium</td>\n",
                            "      <td>let failureCountThreshold = 5;\\nlet successCou...</td>\n",
                            "      <td>P1D</td>\n",
                            "      <td>P1D</td>\n",
                            "      <td>GreaterThan</td>\n",
                            "      <td>0.0</td>\n",
                            "      <td>PT5H</td>\n",
                            "      <td>False</td>\n",
                            "      <td>...</td>\n",
                            "      <td>Identifies evidence of brute force activity ag...</td>\n",
                            "      <td>[CredentialAccess]</td>\n",
                            "      <td>28b42356-45af-40a6-a0b4-a554cdfd5d8a</td>\n",
                            "      <td>2020-11-17T08:15:49.636781Z</td>\n",
                            "      <td>NaN</td>\n",
                            "      <td>NaN</td>\n",
                            "      <td>NaN</td>\n",
                            "      <td>NaN</td>\n",
                            "      <td>NaN</td>\n",
                            "      <td>NaN</td>\n",
                            "    </tr>\n",
                            "    <tr>\n",
                            "      <th>1</th>\n",
                            "      <td>Microsoft.SecurityInsights/alertRules</td>\n",
                            "      <td>Scheduled</td>\n",
                            "      <td>Medium</td>\n",
                            "      <td>let timeframe = 1d;\\n//Set a threshold of fail...</td>\n",
                            "      <td>P1D</td>\n",
                            "      <td>P1D</td>\n",
                            "      <td>GreaterThan</td>\n",
                            "      <td>0.0</td>\n",
                            "      <td>PT5H</td>\n",
                            "      <td>False</td>\n",
                            "      <td>...</td>\n",
                            "      <td>This query creates a list of IP addresses with...</td>\n",
                            "      <td>[InitialAccess, CredentialAccess]</td>\n",
                            "      <td>ba144bf8-75b8-406f-9420-ed74397f9479</td>\n",
                            "      <td>2020-11-11T05:16:14.5036485Z</td>\n",
                            "      <td>FileName</td>\n",
                            "      <td>Reason</td>\n",
                            "      <td>NaN</td>\n",
                            "      <td>NaN</td>\n",
                            "      <td>NaN</td>\n",
                            "      <td>NaN</td>\n",
                            "    </tr>\n",
                            "    <tr>\n",
                            "      <th>2</th>\n",
                            "      <td>Microsoft.SecurityInsights/alertRules</td>\n",
                            "      <td>Scheduled</td>\n",
                            "      <td>Medium</td>\n",
                            "      <td>let timeframe = 1d;\\nSecurityEvent\\n| where Ti...</td>\n",
                            "      <td>P1D</td>\n",
                            "      <td>P1D</td>\n",
                            "      <td>GreaterThan</td>\n",
                            "      <td>0.0</td>\n",
                            "      <td>PT5H</td>\n",
                            "      <td>False</td>\n",
                            "      <td>...</td>\n",
                            "      <td>Checks for event id 1102 which indicates the s...</td>\n",
                            "      <td>[DefenseEvasion]</td>\n",
                            "      <td>80da0a8f-cfe1-4cd0-a895-8bc1771a720e</td>\n",
                            "      <td>2020-11-11T01:46:53.4905768Z</td>\n",
                            "      <td>NaN</td>\n",
                            "      <td>NaN</td>\n",
                            "      <td>NaN</td>\n",
                            "      <td>NaN</td>\n",
                            "      <td>NaN</td>\n",
                            "      <td>NaN</td>\n",
                            "    </tr>\n",
                            "    <tr>\n",
                            "      <th>3</th>\n",
                            "      <td>Microsoft.SecurityInsights/alertRules</td>\n",
                            "      <td>Scheduled</td>\n",
                            "      <td>Medium</td>\n",
                            "      <td>AzureActivity\\n| take 1\\n| extend IPCustomEnti...</td>\n",
                            "      <td>P1D</td>\n",
                            "      <td>P14D</td>\n",
                            "      <td>GreaterThan</td>\n",
                            "      <td>0.0</td>\n",
                            "      <td>PT5H</td>\n",
                            "      <td>False</td>\n",
                            "      <td>...</td>\n",
                            "      <td>This analytic matches Azure Activity logs to k...</td>\n",
                            "      <td>[Impact]</td>\n",
                            "      <td>None</td>\n",
                            "      <td>2020-11-04T22:43:33.9845152Z</td>\n",
                            "      <td>NaN</td>\n",
                            "      <td>NaN</td>\n",
                            "      <td>NaN</td>\n",
                            "      <td>NaN</td>\n",
                            "      <td>NaN</td>\n",
                            "      <td>NaN</td>\n",
                            "    </tr>\n",
                            "    <tr>\n",
                            "      <th>4</th>\n",
                            "      <td>Microsoft.SecurityInsights/alertRules</td>\n",
                            "      <td>Scheduled</td>\n",
                            "      <td>Medium</td>\n",
                            "      <td>let timeframe = 1d;\\nSecurityEvent\\n| where Ti...</td>\n",
                            "      <td>P1D</td>\n",
                            "      <td>P1D</td>\n",
                            "      <td>GreaterThan</td>\n",
                            "      <td>0.0</td>\n",
                            "      <td>PT5H</td>\n",
                            "      <td>False</td>\n",
                            "      <td>...</td>\n",
                            "      <td>Checks for event id 1102 which indicates the s...</td>\n",
                            "      <td>[DefenseEvasion]</td>\n",
                            "      <td>80da0a8f-cfe1-4cd0-a895-8bc1771a720e</td>\n",
                            "      <td>2020-11-11T07:19:24.7658031Z</td>\n",
                            "      <td>NaN</td>\n",
                            "      <td>NaN</td>\n",
                            "      <td>NaN</td>\n",
                            "      <td>NaN</td>\n",
                            "      <td>NaN</td>\n",
                            "      <td>NaN</td>\n",
                            "    </tr>\n",
                            "  </tbody>\n",
                            "</table>\n",
                            "<p>5 rows × 29 columns</p>\n",
                            "</div>"
                        ],
                        "text/plain": [
                            "                                    type       kind properties.severity  \\\n",
                            "0  Microsoft.SecurityInsights/alertRules  Scheduled              Medium   \n",
                            "1  Microsoft.SecurityInsights/alertRules  Scheduled              Medium   \n",
                            "2  Microsoft.SecurityInsights/alertRules  Scheduled              Medium   \n",
                            "3  Microsoft.SecurityInsights/alertRules  Scheduled              Medium   \n",
                            "4  Microsoft.SecurityInsights/alertRules  Scheduled              Medium   \n",
                            "\n",
                            "                                    properties.query  \\\n",
                            "0  let failureCountThreshold = 5;\\nlet successCou...   \n",
                            "1  let timeframe = 1d;\\n//Set a threshold of fail...   \n",
                            "2  let timeframe = 1d;\\nSecurityEvent\\n| where Ti...   \n",
                            "3  AzureActivity\\n| take 1\\n| extend IPCustomEnti...   \n",
                            "4  let timeframe = 1d;\\nSecurityEvent\\n| where Ti...   \n",
                            "\n",
                            "  properties.queryFrequency properties.queryPeriod properties.triggerOperator  \\\n",
                            "0                       P1D                    P1D                GreaterThan   \n",
                            "1                       P1D                    P1D                GreaterThan   \n",
                            "2                       P1D                    P1D                GreaterThan   \n",
                            "3                       P1D                   P14D                GreaterThan   \n",
                            "4                       P1D                    P1D                GreaterThan   \n",
                            "\n",
                            "   properties.triggerThreshold properties.suppressionDuration  \\\n",
                            "0                          0.0                           PT5H   \n",
                            "1                          0.0                           PT5H   \n",
                            "2                          0.0                           PT5H   \n",
                            "3                          0.0                           PT5H   \n",
                            "4                          0.0                           PT5H   \n",
                            "\n",
                            "  properties.suppressionEnabled  ...  \\\n",
                            "0                         False  ...   \n",
                            "1                         False  ...   \n",
                            "2                         False  ...   \n",
                            "3                         False  ...   \n",
                            "4                         False  ...   \n",
                            "\n",
                            "                              properties.description  \\\n",
                            "0  Identifies evidence of brute force activity ag...   \n",
                            "1  This query creates a list of IP addresses with...   \n",
                            "2  Checks for event id 1102 which indicates the s...   \n",
                            "3  This analytic matches Azure Activity logs to k...   \n",
                            "4  Checks for event id 1102 which indicates the s...   \n",
                            "\n",
                            "                  properties.tactics      properties.alertRuleTemplateName  \\\n",
                            "0                 [CredentialAccess]  28b42356-45af-40a6-a0b4-a554cdfd5d8a   \n",
                            "1  [InitialAccess, CredentialAccess]  ba144bf8-75b8-406f-9420-ed74397f9479   \n",
                            "2                   [DefenseEvasion]  80da0a8f-cfe1-4cd0-a895-8bc1771a720e   \n",
                            "3                           [Impact]                                  None   \n",
                            "4                   [DefenseEvasion]  80da0a8f-cfe1-4cd0-a895-8bc1771a720e   \n",
                            "\n",
                            "     properties.lastModifiedUtc properties.customFields.Filename  \\\n",
                            "0   2020-11-17T08:15:49.636781Z                              NaN   \n",
                            "1  2020-11-11T05:16:14.5036485Z                         FileName   \n",
                            "2  2020-11-11T01:46:53.4905768Z                              NaN   \n",
                            "3  2020-11-04T22:43:33.9845152Z                              NaN   \n",
                            "4  2020-11-11T07:19:24.7658031Z                              NaN   \n",
                            "\n",
                            "  properties.customFields.Reason properties.productFilter  \\\n",
                            "0                            NaN                      NaN   \n",
                            "1                         Reason                      NaN   \n",
                            "2                            NaN                      NaN   \n",
                            "3                            NaN                      NaN   \n",
                            "4                            NaN                      NaN   \n",
                            "\n",
                            "  properties.severitiesFilter  properties.displayNamesFilter  \\\n",
                            "0                         NaN                            NaN   \n",
                            "1                         NaN                            NaN   \n",
                            "2                         NaN                            NaN   \n",
                            "3                         NaN                            NaN   \n",
                            "4                         NaN                            NaN   \n",
                            "\n",
                            "  properties.displayNamesExcludeFilter  \n",
                            "0                                  NaN  \n",
                            "1                                  NaN  \n",
                            "2                                  NaN  \n",
                            "3                                  NaN  \n",
                            "4                                  NaN  \n",
                            "\n",
                            "[5 rows x 29 columns]"
                        ]
                    },
                    "execution_count": 14,
                    "metadata": {},
                    "output_type": "execute_result"
                }
            ],
            "source": [
                "# Retrieve the analytics (alert) rules configured in the selected workspace\n",
                "alert_rules = azs.get_alert_rules(ws.value)\n",
                "\n",
                "# Show the first five rules, dropping the resource-identity columns for readability\n",
                "alert_rules.head().drop(columns=[\"id\", \"etag\", \"name\"])"
            ]
        },
        {
            "cell_type": "markdown",
            "metadata": {},
            "source": [
                "We can also get a list of saved bookmarks. To see the events these bookmarks relate to, you can pass the bookmark's query value to a QueryProvider."
            ]
        },
        {
            "cell_type": "code",
            "execution_count": 15,
            "metadata": {
                "ExecuteTime": {
                    "end_time": "2020-10-28T00:50:17.332381Z",
                    "start_time": "2020-10-28T00:50:14.780804Z"
                }
            },
            "outputs": [
                {
                    "data": {
                        "text/html": [
                            "<div>\n",
                            "<style scoped>\n",
                            "    .dataframe tbody tr th:only-of-type {\n",
                            "        vertical-align: middle;\n",
                            "    }\n",
                            "\n",
                            "    .dataframe tbody tr th {\n",
                            "        vertical-align: top;\n",
                            "    }\n",
                            "\n",
                            "    .dataframe thead th {\n",
                            "        text-align: right;\n",
                            "    }\n",
                            "</style>\n",
                            "<table border=\"1\" class=\"dataframe\">\n",
                            "  <thead>\n",
                            "    <tr style=\"text-align: right;\">\n",
                            "      <th></th>\n",
                            "      <th>type</th>\n",
                            "      <th>properties.displayName</th>\n",
                            "      <th>properties.created</th>\n",
                            "      <th>properties.updated</th>\n",
                            "      <th>properties.createdBy.objectId</th>\n",
                            "      <th>properties.createdBy.email</th>\n",
                            "      <th>properties.createdBy.name</th>\n",
                            "      <th>properties.updatedBy.objectId</th>\n",
                            "      <th>properties.updatedBy.email</th>\n",
                            "      <th>properties.updatedBy.name</th>\n",
                            "      <th>...</th>\n",
                            "      <th>properties.labels</th>\n",
                            "      <th>properties.query</th>\n",
                            "      <th>properties.queryResult</th>\n",
                            "      <th>properties.queryStartTime</th>\n",
                            "      <th>properties.queryEndTime</th>\n",
                            "      <th>properties.incidentInfo.incidentId</th>\n",
                            "      <th>properties.incidentInfo.title</th>\n",
                            "      <th>properties.incidentInfo.relationName</th>\n",
                            "      <th>properties.incidentInfo.severity</th>\n",
                            "      <th>properties.notes</th>\n",
                            "    </tr>\n",
                            "  </thead>\n",
                            "  <tbody>\n",
                            "    <tr>\n",
                            "      <th>0</th>\n",
                            "      <td>Microsoft.SecurityInsights/Bookmarks</td>\n",
                            "      <td>mercury IP</td>\n",
                            "      <td>2020-11-18T09:26:54.1605891+00:00</td>\n",
                            "      <td>2020-11-18T09:26:54.1605891+00:00</td>\n",
                            "      <td>e0139aae-7811-40ca-abc6-3fcb79140a6b</td>\n",
                            "      <td>Tim.Burrell@microsoft.com</td>\n",
                            "      <td>Tim Burrell (MSTIC)</td>\n",
                            "      <td>e0139aae-7811-40ca-abc6-3fcb79140a6b</td>\n",
                            "      <td>Tim.Burrell@microsoft.com</td>\n",
                            "      <td>Tim Burrell (MSTIC)</td>\n",
                            "      <td>...</td>\n",
                            "      <td>[]</td>\n",
                            "      <td>print \"192.168.15.6\" \\n</td>\n",
                            "      <td>{\"print_0\":\"192.168.15.6\",\"__entityMapping\":{\"...</td>\n",
                            "      <td>2020-11-17T09:26:33.557+00:00</td>\n",
                            "      <td>2020-11-18T09:26:33.557+00:00</td>\n",
                            "      <td>None</td>\n",
                            "      <td>None</td>\n",
                            "      <td>None</td>\n",
                            "      <td>None</td>\n",
                            "      <td>NaN</td>\n",
                            "    </tr>\n",
                            "    <tr>\n",
                            "      <th>1</th>\n",
                            "      <td>Microsoft.SecurityInsights/Bookmarks</td>\n",
                            "      <td>test 1</td>\n",
                            "      <td>2020-11-18T15:25:01.1843361+00:00</td>\n",
                            "      <td>2020-11-18T15:25:01.1843361+00:00</td>\n",
                            "      <td>b3a76793-1a0d-4bfe-95f6-96919d4b9acf</td>\n",
                            "      <td>bnick@microsoft.com</td>\n",
                            "      <td>Ben Nick</td>\n",
                            "      <td>b3a76793-1a0d-4bfe-95f6-96919d4b9acf</td>\n",
                            "      <td>bnick@microsoft.com</td>\n",
                            "      <td>Ben Nick</td>\n",
                            "      <td>...</td>\n",
                            "      <td>[fluffyDogCampaign]</td>\n",
                            "      <td>let auditLookback = 14d;\\n// Setting threshold...</td>\n",
                            "      <td>{\"InitiatedBy\":\"seb@seccxp.ninja\",\"IpAddress\":...</td>\n",
                            "      <td>NaN</td>\n",
                            "      <td>NaN</td>\n",
                            "      <td>None</td>\n",
                            "      <td>None</td>\n",
                            "      <td>None</td>\n",
                            "      <td>None</td>\n",
                            "      <td>this looks suspicious</td>\n",
                            "    </tr>\n",
                            "    <tr>\n",
                            "      <th>2</th>\n",
                            "      <td>Microsoft.SecurityInsights/Bookmarks</td>\n",
                            "      <td>failed logons - decb171c8160 (1)</td>\n",
                            "      <td>2020-11-19T11:26:31.3053573+00:00</td>\n",
                            "      <td>2020-11-19T11:26:31.3053573+00:00</td>\n",
                            "      <td>518a3ca6-44f0-4ac7-8179-97d18e48d65c</td>\n",
                            "      <td>pascals@microsoft.com</td>\n",
                            "      <td>Pascal Sauliere</td>\n",
                            "      <td>518a3ca6-44f0-4ac7-8179-97d18e48d65c</td>\n",
                            "      <td>pascals@microsoft.com</td>\n",
                            "      <td>Pascal Sauliere</td>\n",
                            "      <td>...</td>\n",
                            "      <td>[]</td>\n",
                            "      <td>// Event: An account failed to log on\\nSecurit...</td>\n",
                            "      <td>{\"TenantId\":\"8ecf8077-cf51-4820-aadd-14040956f...</td>\n",
                            "      <td>NaN</td>\n",
                            "      <td>NaN</td>\n",
                            "      <td>None</td>\n",
                            "      <td>None</td>\n",
                            "      <td>None</td>\n",
                            "      <td>None</td>\n",
                            "      <td>NaN</td>\n",
                            "    </tr>\n",
                            "    <tr>\n",
                            "      <th>3</th>\n",
                            "      <td>Microsoft.SecurityInsights/Bookmarks</td>\n",
                            "      <td>Rare Audit activity initiated by App - cbade9...</td>\n",
                            "      <td>2020-11-11T18:39:16.6537628+00:00</td>\n",
                            "      <td>2020-11-11T18:39:16.6537628+00:00</td>\n",
                            "      <td>f6b78447-93dc-4041-a22a-6eb1c34265e2</td>\n",
                            "      <td>Umesh.Nagdev@microsoft.com</td>\n",
                            "      <td>Umesh Nagdev</td>\n",
                            "      <td>f6b78447-93dc-4041-a22a-6eb1c34265e2</td>\n",
                            "      <td>Umesh.Nagdev@microsoft.com</td>\n",
                            "      <td>Umesh Nagdev</td>\n",
                            "      <td>...</td>\n",
                            "      <td>[]</td>\n",
                            "      <td>let current = 1d;\\nlet auditLookback = 14d;\\nl...</td>\n",
                            "      <td>{\"InitiatedByApp\":\"Microsoft Azure AD Group-Ba...</td>\n",
                            "      <td>2020-11-10T18:39:01.061+00:00</td>\n",
                            "      <td>2020-11-11T18:39:01.061+00:00</td>\n",
                            "      <td>None</td>\n",
                            "      <td>None</td>\n",
                            "      <td>None</td>\n",
                            "      <td>None</td>\n",
                            "      <td>NaN</td>\n",
                            "    </tr>\n",
                            "    <tr>\n",
                            "      <th>4</th>\n",
                            "      <td>Microsoft.SecurityInsights/Bookmarks</td>\n",
                            "      <td>ThreatIntelligenceIndicator - 4193cb45b90a (2)</td>\n",
                            "      <td>2020-11-11T16:08:45.6964987+00:00</td>\n",
                            "      <td>2020-11-11T16:08:45.6964987+00:00</td>\n",
                            "      <td>525c09b5-61ef-4e10-8150-b44c97ead3a1</td>\n",
                            "      <td>Andrew.Blumhardt@microsoft.com</td>\n",
                            "      <td>Andrew Blumhardt</td>\n",
                            "      <td>525c09b5-61ef-4e10-8150-b44c97ead3a1</td>\n",
                            "      <td>Andrew.Blumhardt@microsoft.com</td>\n",
                            "      <td>Andrew Blumhardt</td>\n",
                            "      <td>...</td>\n",
                            "      <td>[]</td>\n",
                            "      <td>ThreatIntelligenceIndicator</td>\n",
                            "      <td>{\"TenantId\":\"8ecf8077-cf51-4820-aadd-14040956f...</td>\n",
                            "      <td>2020-11-10T16:08:26.089+00:00</td>\n",
                            "      <td>2020-11-11T16:08:26.089+00:00</td>\n",
                            "      <td>None</td>\n",
                            "      <td>None</td>\n",
                            "      <td>None</td>\n",
                            "      <td>None</td>\n",
                            "      <td>My Bookmark</td>\n",
                            "    </tr>\n",
                            "  </tbody>\n",
                            "</table>\n",
                            "<p>5 rows × 21 columns</p>\n",
                            "</div>"
                        ],
                        "text/plain": [
                            "                                   type  \\\n",
                            "0  Microsoft.SecurityInsights/Bookmarks   \n",
                            "1  Microsoft.SecurityInsights/Bookmarks   \n",
                            "2  Microsoft.SecurityInsights/Bookmarks   \n",
                            "3  Microsoft.SecurityInsights/Bookmarks   \n",
                            "4  Microsoft.SecurityInsights/Bookmarks   \n",
                            "\n",
                            "                              properties.displayName  \\\n",
                            "0                                         mercury IP   \n",
                            "1                                             test 1   \n",
                            "2                   failed logons - decb171c8160 (1)   \n",
                            "3   Rare Audit activity initiated by App - cbade9...   \n",
                            "4     ThreatIntelligenceIndicator - 4193cb45b90a (2)   \n",
                            "\n",
                            "                  properties.created                 properties.updated  \\\n",
                            "0  2020-11-18T09:26:54.1605891+00:00  2020-11-18T09:26:54.1605891+00:00   \n",
                            "1  2020-11-18T15:25:01.1843361+00:00  2020-11-18T15:25:01.1843361+00:00   \n",
                            "2  2020-11-19T11:26:31.3053573+00:00  2020-11-19T11:26:31.3053573+00:00   \n",
                            "3  2020-11-11T18:39:16.6537628+00:00  2020-11-11T18:39:16.6537628+00:00   \n",
                            "4  2020-11-11T16:08:45.6964987+00:00  2020-11-11T16:08:45.6964987+00:00   \n",
                            "\n",
                            "          properties.createdBy.objectId      properties.createdBy.email  \\\n",
                            "0  e0139aae-7811-40ca-abc6-3fcb79140a6b       Tim.Burrell@microsoft.com   \n",
                            "1  b3a76793-1a0d-4bfe-95f6-96919d4b9acf             bnick@microsoft.com   \n",
                            "2  518a3ca6-44f0-4ac7-8179-97d18e48d65c           pascals@microsoft.com   \n",
                            "3  f6b78447-93dc-4041-a22a-6eb1c34265e2      Umesh.Nagdev@microsoft.com   \n",
                            "4  525c09b5-61ef-4e10-8150-b44c97ead3a1  Andrew.Blumhardt@microsoft.com   \n",
                            "\n",
                            "  properties.createdBy.name         properties.updatedBy.objectId  \\\n",
                            "0       Tim Burrell (MSTIC)  e0139aae-7811-40ca-abc6-3fcb79140a6b   \n",
                            "1                  Ben Nick  b3a76793-1a0d-4bfe-95f6-96919d4b9acf   \n",
                            "2           Pascal Sauliere  518a3ca6-44f0-4ac7-8179-97d18e48d65c   \n",
                            "3              Umesh Nagdev  f6b78447-93dc-4041-a22a-6eb1c34265e2   \n",
                            "4          Andrew Blumhardt  525c09b5-61ef-4e10-8150-b44c97ead3a1   \n",
                            "\n",
                            "       properties.updatedBy.email properties.updatedBy.name  ...  \\\n",
                            "0       Tim.Burrell@microsoft.com       Tim Burrell (MSTIC)  ...   \n",
                            "1             bnick@microsoft.com                  Ben Nick  ...   \n",
                            "2           pascals@microsoft.com           Pascal Sauliere  ...   \n",
                            "3      Umesh.Nagdev@microsoft.com              Umesh Nagdev  ...   \n",
                            "4  Andrew.Blumhardt@microsoft.com          Andrew Blumhardt  ...   \n",
                            "\n",
                            "     properties.labels                                   properties.query  \\\n",
                            "0                   []                            print \"192.168.15.6\" \\n   \n",
                            "1  [fluffyDogCampaign]  let auditLookback = 14d;\\n// Setting threshold...   \n",
                            "2                   []  // Event: An account failed to log on\\nSecurit...   \n",
                            "3                   []  let current = 1d;\\nlet auditLookback = 14d;\\nl...   \n",
                            "4                   []                        ThreatIntelligenceIndicator   \n",
                            "\n",
                            "                              properties.queryResult  \\\n",
                            "0  {\"print_0\":\"192.168.15.6\",\"__entityMapping\":{\"...   \n",
                            "1  {\"InitiatedBy\":\"seb@seccxp.ninja\",\"IpAddress\":...   \n",
                            "2  {\"TenantId\":\"8ecf8077-cf51-4820-aadd-14040956f...   \n",
                            "3  {\"InitiatedByApp\":\"Microsoft Azure AD Group-Ba...   \n",
                            "4  {\"TenantId\":\"8ecf8077-cf51-4820-aadd-14040956f...   \n",
                            "\n",
                            "       properties.queryStartTime        properties.queryEndTime  \\\n",
                            "0  2020-11-17T09:26:33.557+00:00  2020-11-18T09:26:33.557+00:00   \n",
                            "1                            NaN                            NaN   \n",
                            "2                            NaN                            NaN   \n",
                            "3  2020-11-10T18:39:01.061+00:00  2020-11-11T18:39:01.061+00:00   \n",
                            "4  2020-11-10T16:08:26.089+00:00  2020-11-11T16:08:26.089+00:00   \n",
                            "\n",
                            "  properties.incidentInfo.incidentId properties.incidentInfo.title  \\\n",
                            "0                               None                          None   \n",
                            "1                               None                          None   \n",
                            "2                               None                          None   \n",
                            "3                               None                          None   \n",
                            "4                               None                          None   \n",
                            "\n",
                            "  properties.incidentInfo.relationName properties.incidentInfo.severity  \\\n",
                            "0                                 None                             None   \n",
                            "1                                 None                             None   \n",
                            "2                                 None                             None   \n",
                            "3                                 None                             None   \n",
                            "4                                 None                             None   \n",
                            "\n",
                            "        properties.notes  \n",
                            "0                    NaN  \n",
                            "1  this looks suspicious  \n",
                            "2                    NaN  \n",
                            "3                    NaN  \n",
                            "4            My Bookmark  \n",
                            "\n",
                            "[5 rows x 21 columns]"
                        ]
                    },
                    "execution_count": 15,
                    "metadata": {},
                    "output_type": "execute_result"
                }
            ],
            "source": [
                "# Retrieve the bookmarks saved in the selected workspace\n",
                "bkmarks = azs.get_bookmarks(ws.value)\n",
                "# Show the first rows, dropping the long resource id, etag and name columns\n",
                "bkmarks.head().drop(columns=[\"id\", \"etag\", \"name\"])"
            ]
        },
        {
            "cell_type": "markdown",
            "metadata": {},
            "source": [
                "We can also interact with incidents via the API, retrieving either the full set of incidents or a single incident:"
            ]
        },
        {
            "cell_type": "code",
            "execution_count": 16,
            "metadata": {},
            "outputs": [
                {
                    "data": {
                        "text/html": [
                            "<div>\n",
                            "<style scoped>\n",
                            "    .dataframe tbody tr th:only-of-type {\n",
                            "        vertical-align: middle;\n",
                            "    }\n",
                            "\n",
                            "    .dataframe tbody tr th {\n",
                            "        vertical-align: top;\n",
                            "    }\n",
                            "\n",
                            "    .dataframe thead th {\n",
                            "        text-align: right;\n",
                            "    }\n",
                            "</style>\n",
                            "<table border=\"1\" class=\"dataframe\">\n",
                            "  <thead>\n",
                            "    <tr style=\"text-align: right;\">\n",
                            "      <th></th>\n",
                            "      <th>id</th>\n",
                            "      <th>name</th>\n",
                            "      <th>etag</th>\n",
                            "      <th>type</th>\n",
                            "      <th>properties.title</th>\n",
                            "      <th>properties.severity</th>\n",
                            "      <th>properties.status</th>\n",
                            "      <th>properties.owner.objectId</th>\n",
                            "      <th>properties.owner.email</th>\n",
                            "      <th>properties.owner.assignedTo</th>\n",
                            "      <th>...</th>\n",
                            "      <th>properties.additionalData.commentsCount</th>\n",
                            "      <th>properties.additionalData.alertProductNames</th>\n",
                            "      <th>properties.additionalData.tactics</th>\n",
                            "      <th>properties.firstActivityTimeGenerated</th>\n",
                            "      <th>properties.lastActivityTimeGenerated</th>\n",
                            "      <th>properties.relatedAnalyticRuleIds</th>\n",
                            "      <th>properties.incidentUrl</th>\n",
                            "      <th>properties.description</th>\n",
                            "      <th>properties.firstActivityTimeUtc</th>\n",
                            "      <th>properties.lastActivityTimeUtc</th>\n",
                            "    </tr>\n",
                            "  </thead>\n",
                            "  <tbody>\n",
                            "    <tr>\n",
                            "      <th>0</th>\n",
                            "      <td>/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de...</td>\n",
                            "      <td>aabf6bcd-4134-b07b-1152-040aa0cdf069</td>\n",
                            "      <td>\"0402f99f-0000-0100-0000-5fbd43d50000\"</td>\n",
                            "      <td>Microsoft.SecurityInsights/Incidents</td>\n",
                            "      <td>Time series anomaly detection for total volume...</td>\n",
                            "      <td>High</td>\n",
                            "      <td>New</td>\n",
                            "      <td>None</td>\n",
                            "      <td>None</td>\n",
                            "      <td>None</td>\n",
                            "      <td>...</td>\n",
                            "      <td>2</td>\n",
                            "      <td>[Azure Sentinel]</td>\n",
                            "      <td>[Exfiltration]</td>\n",
                            "      <td>2020-11-24T17:10:35.7652885Z</td>\n",
                            "      <td>2020-11-24T17:10:35.7652885Z</td>\n",
                            "      <td>[/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8d...</td>\n",
                            "      <td>https://portal.azure.com/#asset/Microsoft_Azur...</td>\n",
                            "      <td>NaN</td>\n",
                            "      <td>NaN</td>\n",
                            "      <td>NaN</td>\n",
                            "    </tr>\n",
                            "    <tr>\n",
                            "      <th>1</th>\n",
                            "      <td>/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de...</td>\n",
                            "      <td>e917efd0-331d-48b7-81d7-6205cee787f5</td>\n",
                            "      <td>\"0302de84-0000-0100-0000-5fbd23f30000\"</td>\n",
                            "      <td>Microsoft.SecurityInsights/Incidents</td>\n",
                            "      <td>XASE SENSITIVITY TEST</td>\n",
                            "      <td>Medium</td>\n",
                            "      <td>New</td>\n",
                            "      <td>None</td>\n",
                            "      <td>None</td>\n",
                            "      <td>None</td>\n",
                            "      <td>...</td>\n",
                            "      <td>0</td>\n",
                            "      <td>[Azure Sentinel]</td>\n",
                            "      <td>[]</td>\n",
                            "      <td>2020-11-24T15:17:06.8646498Z</td>\n",
                            "      <td>2020-11-24T15:17:06.8646498Z</td>\n",
                            "      <td>[/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8d...</td>\n",
                            "      <td>https://portal.azure.com/#asset/Microsoft_Azur...</td>\n",
                            "      <td>LOWER CASE</td>\n",
                            "      <td>2020-11-24T14:55:03.95Z</td>\n",
                            "      <td>2020-11-24T14:55:03.95Z</td>\n",
                            "    </tr>\n",
                            "    <tr>\n",
                            "      <th>2</th>\n",
                            "      <td>/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de...</td>\n",
                            "      <td>81d59f6e-988f-4758-a2d2-90886befccab</td>\n",
                            "      <td>\"03029c83-0000-0100-0000-5fbd23d10000\"</td>\n",
                            "      <td>Microsoft.SecurityInsights/Incidents</td>\n",
                            "      <td>Case Sensitivity test UPPER</td>\n",
                            "      <td>Medium</td>\n",
                            "      <td>New</td>\n",
                            "      <td>None</td>\n",
                            "      <td>None</td>\n",
                            "      <td>None</td>\n",
                            "      <td>...</td>\n",
                            "      <td>0</td>\n",
                            "      <td>[Azure Sentinel]</td>\n",
                            "      <td>[]</td>\n",
                            "      <td>2020-11-24T15:16:33.5131821Z</td>\n",
                            "      <td>2020-11-24T15:16:33.5131821Z</td>\n",
                            "      <td>[/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8d...</td>\n",
                            "      <td>https://portal.azure.com/#asset/Microsoft_Azur...</td>\n",
                            "      <td>sdff</td>\n",
                            "      <td>2020-11-24T14:57:49.43Z</td>\n",
                            "      <td>2020-11-24T14:57:49.43Z</td>\n",
                            "    </tr>\n",
                            "    <tr>\n",
                            "      <th>3</th>\n",
                            "      <td>/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de...</td>\n",
                            "      <td>b68151e7-890f-48aa-befb-3de2bc987557</td>\n",
                            "      <td>\"03022274-0000-0100-0000-5fbd222f0000\"</td>\n",
                            "      <td>Microsoft.SecurityInsights/Incidents</td>\n",
                            "      <td>Potential Password Spray</td>\n",
                            "      <td>Medium</td>\n",
                            "      <td>New</td>\n",
                            "      <td>None</td>\n",
                            "      <td>None</td>\n",
                            "      <td>None</td>\n",
                            "      <td>...</td>\n",
                            "      <td>0</td>\n",
                            "      <td>[Azure Sentinel]</td>\n",
                            "      <td>[Persistence]</td>\n",
                            "      <td>2020-11-24T15:09:35.0020779Z</td>\n",
                            "      <td>2020-11-24T15:09:35.0020779Z</td>\n",
                            "      <td>[/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8d...</td>\n",
                            "      <td>https://portal.azure.com/#asset/Microsoft_Azur...</td>\n",
                            "      <td>Description with a link</td>\n",
                            "      <td>2020-11-24T10:04:32.5297051Z</td>\n",
                            "      <td>2020-11-24T15:04:32.5297051Z</td>\n",
                            "    </tr>\n",
                            "    <tr>\n",
                            "      <th>4</th>\n",
                            "      <td>/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de...</td>\n",
                            "      <td>49f91f51-30ce-4028-9117-96ca3debbe14</td>\n",
                            "      <td>\"0302f05f-0000-0100-0000-5fbd204e0000\"</td>\n",
                            "      <td>Microsoft.SecurityInsights/Incidents</td>\n",
                            "      <td>Case Sensitivity test UPPER</td>\n",
                            "      <td>Medium</td>\n",
                            "      <td>New</td>\n",
                            "      <td>None</td>\n",
                            "      <td>None</td>\n",
                            "      <td>None</td>\n",
                            "      <td>...</td>\n",
                            "      <td>0</td>\n",
                            "      <td>[Azure Sentinel]</td>\n",
                            "      <td>[]</td>\n",
                            "      <td>2020-11-24T15:01:33.9949456Z</td>\n",
                            "      <td>2020-11-24T15:01:33.9949456Z</td>\n",
                            "      <td>[/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8d...</td>\n",
                            "      <td>https://portal.azure.com/#asset/Microsoft_Azur...</td>\n",
                            "      <td>sdff</td>\n",
                            "      <td>2020-11-24T14:41:32.13Z</td>\n",
                            "      <td>2020-11-24T14:41:32.13Z</td>\n",
                            "    </tr>\n",
                            "  </tbody>\n",
                            "</table>\n",
                            "<p>5 rows × 27 columns</p>\n",
                            "</div>"
                        ],
                        "text/plain": [
                            "                                                  id  \\\n",
                            "0  /subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de...   \n",
                            "1  /subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de...   \n",
                            "2  /subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de...   \n",
                            "3  /subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de...   \n",
                            "4  /subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de...   \n",
                            "\n",
                            "                                   name  \\\n",
                            "0  aabf6bcd-4134-b07b-1152-040aa0cdf069   \n",
                            "1  e917efd0-331d-48b7-81d7-6205cee787f5   \n",
                            "2  81d59f6e-988f-4758-a2d2-90886befccab   \n",
                            "3  b68151e7-890f-48aa-befb-3de2bc987557   \n",
                            "4  49f91f51-30ce-4028-9117-96ca3debbe14   \n",
                            "\n",
                            "                                     etag  \\\n",
                            "0  \"0402f99f-0000-0100-0000-5fbd43d50000\"   \n",
                            "1  \"0302de84-0000-0100-0000-5fbd23f30000\"   \n",
                            "2  \"03029c83-0000-0100-0000-5fbd23d10000\"   \n",
                            "3  \"03022274-0000-0100-0000-5fbd222f0000\"   \n",
                            "4  \"0302f05f-0000-0100-0000-5fbd204e0000\"   \n",
                            "\n",
                            "                                   type  \\\n",
                            "0  Microsoft.SecurityInsights/Incidents   \n",
                            "1  Microsoft.SecurityInsights/Incidents   \n",
                            "2  Microsoft.SecurityInsights/Incidents   \n",
                            "3  Microsoft.SecurityInsights/Incidents   \n",
                            "4  Microsoft.SecurityInsights/Incidents   \n",
                            "\n",
                            "                                    properties.title properties.severity  \\\n",
                            "0  Time series anomaly detection for total volume...                High   \n",
                            "1                              XASE SENSITIVITY TEST              Medium   \n",
                            "2                        Case Sensitivity test UPPER              Medium   \n",
                            "3                           Potential Password Spray              Medium   \n",
                            "4                        Case Sensitivity test UPPER              Medium   \n",
                            "\n",
                            "  properties.status properties.owner.objectId properties.owner.email  \\\n",
                            "0               New                      None                   None   \n",
                            "1               New                      None                   None   \n",
                            "2               New                      None                   None   \n",
                            "3               New                      None                   None   \n",
                            "4               New                      None                   None   \n",
                            "\n",
                            "  properties.owner.assignedTo  ... properties.additionalData.commentsCount  \\\n",
                            "0                        None  ...                                       2   \n",
                            "1                        None  ...                                       0   \n",
                            "2                        None  ...                                       0   \n",
                            "3                        None  ...                                       0   \n",
                            "4                        None  ...                                       0   \n",
                            "\n",
                            "  properties.additionalData.alertProductNames  \\\n",
                            "0                            [Azure Sentinel]   \n",
                            "1                            [Azure Sentinel]   \n",
                            "2                            [Azure Sentinel]   \n",
                            "3                            [Azure Sentinel]   \n",
                            "4                            [Azure Sentinel]   \n",
                            "\n",
                            "  properties.additionalData.tactics properties.firstActivityTimeGenerated  \\\n",
                            "0                    [Exfiltration]          2020-11-24T17:10:35.7652885Z   \n",
                            "1                                []          2020-11-24T15:17:06.8646498Z   \n",
                            "2                                []          2020-11-24T15:16:33.5131821Z   \n",
                            "3                     [Persistence]          2020-11-24T15:09:35.0020779Z   \n",
                            "4                                []          2020-11-24T15:01:33.9949456Z   \n",
                            "\n",
                            "   properties.lastActivityTimeGenerated  \\\n",
                            "0          2020-11-24T17:10:35.7652885Z   \n",
                            "1          2020-11-24T15:17:06.8646498Z   \n",
                            "2          2020-11-24T15:16:33.5131821Z   \n",
                            "3          2020-11-24T15:09:35.0020779Z   \n",
                            "4          2020-11-24T15:01:33.9949456Z   \n",
                            "\n",
                            "                   properties.relatedAnalyticRuleIds  \\\n",
                            "0  [/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8d...   \n",
                            "1  [/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8d...   \n",
                            "2  [/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8d...   \n",
                            "3  [/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8d...   \n",
                            "4  [/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8d...   \n",
                            "\n",
                            "                              properties.incidentUrl   properties.description  \\\n",
                            "0  https://portal.azure.com/#asset/Microsoft_Azur...                      NaN   \n",
                            "1  https://portal.azure.com/#asset/Microsoft_Azur...               LOWER CASE   \n",
                            "2  https://portal.azure.com/#asset/Microsoft_Azur...                     sdff   \n",
                            "3  https://portal.azure.com/#asset/Microsoft_Azur...  Description with a link   \n",
                            "4  https://portal.azure.com/#asset/Microsoft_Azur...                     sdff   \n",
                            "\n",
                            "  properties.firstActivityTimeUtc properties.lastActivityTimeUtc  \n",
                            "0                             NaN                            NaN  \n",
                            "1         2020-11-24T14:55:03.95Z        2020-11-24T14:55:03.95Z  \n",
                            "2         2020-11-24T14:57:49.43Z        2020-11-24T14:57:49.43Z  \n",
                            "3    2020-11-24T10:04:32.5297051Z   2020-11-24T15:04:32.5297051Z  \n",
                            "4         2020-11-24T14:41:32.13Z        2020-11-24T14:41:32.13Z  \n",
                            "\n",
                            "[5 rows x 27 columns]"
                        ]
                    },
                    "metadata": {},
                    "output_type": "display_data"
                }
            ],
            "source": [
                "incidents = azs.get_incidents(res_id=ws.value)\n",
                "display(incidents.head())"
            ]
        },
        {
            "cell_type": "code",
            "execution_count": 17,
            "metadata": {},
            "outputs": [
                {
                    "data": {
                        "text/html": [
                            "<div>\n",
                            "<style scoped>\n",
                            "    .dataframe tbody tr th:only-of-type {\n",
                            "        vertical-align: middle;\n",
                            "    }\n",
                            "\n",
                            "    .dataframe tbody tr th {\n",
                            "        vertical-align: top;\n",
                            "    }\n",
                            "\n",
                            "    .dataframe thead th {\n",
                            "        text-align: right;\n",
                            "    }\n",
                            "</style>\n",
                            "<table border=\"1\" class=\"dataframe\">\n",
                            "  <thead>\n",
                            "    <tr style=\"text-align: right;\">\n",
                            "      <th></th>\n",
                            "      <th>id</th>\n",
                            "      <th>name</th>\n",
                            "      <th>etag</th>\n",
                            "      <th>type</th>\n",
                            "      <th>properties.title</th>\n",
                            "      <th>properties.severity</th>\n",
                            "      <th>properties.status</th>\n",
                            "      <th>properties.owner.objectId</th>\n",
                            "      <th>properties.owner.email</th>\n",
                            "      <th>properties.owner.assignedTo</th>\n",
                            "      <th>...</th>\n",
                            "      <th>properties.incidentNumber</th>\n",
                            "      <th>properties.additionalData.alertsCount</th>\n",
                            "      <th>properties.additionalData.bookmarksCount</th>\n",
                            "      <th>properties.additionalData.commentsCount</th>\n",
                            "      <th>properties.additionalData.alertProductNames</th>\n",
                            "      <th>properties.additionalData.tactics</th>\n",
                            "      <th>properties.firstActivityTimeGenerated</th>\n",
                            "      <th>properties.lastActivityTimeGenerated</th>\n",
                            "      <th>properties.relatedAnalyticRuleIds</th>\n",
                            "      <th>properties.incidentUrl</th>\n",
                            "    </tr>\n",
                            "  </thead>\n",
                            "  <tbody>\n",
                            "    <tr>\n",
                            "      <th>0</th>\n",
                            "      <td>/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de...</td>\n",
                            "      <td>aabf6bcd-4134-b07b-1152-040aa0cdf069</td>\n",
                            "      <td>\"0402f99f-0000-0100-0000-5fbd43d50000\"</td>\n",
                            "      <td>Microsoft.SecurityInsights/Incidents</td>\n",
                            "      <td>Time series anomaly detection for total volume...</td>\n",
                            "      <td>High</td>\n",
                            "      <td>New</td>\n",
                            "      <td>None</td>\n",
                            "      <td>None</td>\n",
                            "      <td>None</td>\n",
                            "      <td>...</td>\n",
                            "      <td>4601</td>\n",
                            "      <td>1</td>\n",
                            "      <td>0</td>\n",
                            "      <td>2</td>\n",
                            "      <td>[Azure Sentinel]</td>\n",
                            "      <td>[Exfiltration]</td>\n",
                            "      <td>2020-11-24T17:10:35.7652885Z</td>\n",
                            "      <td>2020-11-24T17:10:35.7652885Z</td>\n",
                            "      <td>[/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8d...</td>\n",
                            "      <td>https://portal.azure.com/#asset/Microsoft_Azur...</td>\n",
                            "    </tr>\n",
                            "  </tbody>\n",
                            "</table>\n",
                            "<p>1 rows × 24 columns</p>\n",
                            "</div>"
                        ],
                        "text/plain": [
                            "                                                  id  \\\n",
                            "0  /subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de...   \n",
                            "\n",
                            "                                   name  \\\n",
                            "0  aabf6bcd-4134-b07b-1152-040aa0cdf069   \n",
                            "\n",
                            "                                     etag  \\\n",
                            "0  \"0402f99f-0000-0100-0000-5fbd43d50000\"   \n",
                            "\n",
                            "                                   type  \\\n",
                            "0  Microsoft.SecurityInsights/Incidents   \n",
                            "\n",
                            "                                    properties.title properties.severity  \\\n",
                            "0  Time series anomaly detection for total volume...                High   \n",
                            "\n",
                            "  properties.status properties.owner.objectId properties.owner.email  \\\n",
                            "0               New                      None                   None   \n",
                            "\n",
                            "  properties.owner.assignedTo  ... properties.incidentNumber  \\\n",
                            "0                        None  ...                      4601   \n",
                            "\n",
                            "  properties.additionalData.alertsCount  \\\n",
                            "0                                     1   \n",
                            "\n",
                            "  properties.additionalData.bookmarksCount  \\\n",
                            "0                                        0   \n",
                            "\n",
                            "  properties.additionalData.commentsCount  \\\n",
                            "0                                       2   \n",
                            "\n",
                            "   properties.additionalData.alertProductNames  \\\n",
                            "0                             [Azure Sentinel]   \n",
                            "\n",
                            "   properties.additionalData.tactics  properties.firstActivityTimeGenerated  \\\n",
                            "0                     [Exfiltration]           2020-11-24T17:10:35.7652885Z   \n",
                            "\n",
                            "   properties.lastActivityTimeGenerated  \\\n",
                            "0          2020-11-24T17:10:35.7652885Z   \n",
                            "\n",
                            "                   properties.relatedAnalyticRuleIds  \\\n",
                            "0  [/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8d...   \n",
                            "\n",
                            "                              properties.incidentUrl  \n",
                            "0  https://portal.azure.com/#asset/Microsoft_Azur...  \n",
                            "\n",
                            "[1 rows x 24 columns]"
                        ]
                    },
                    "metadata": {},
                    "output_type": "display_data"
                }
            ],
            "source": [
                "incident = azs.get_incident(incident_id=incidents.iloc[0]['name'], res_id=ws.value)\n",
                "display(incident)"
            ]
        },
        {
            "cell_type": "markdown",
            "metadata": {},
            "source": [
                "You can also interact with an incident - adding comments or changing properties such as severity or status:"
            ]
        },
        {
            "cell_type": "code",
            "execution_count": 18,
            "metadata": {},
            "outputs": [
                {
                    "name": "stdout",
                    "output_type": "stream",
                    "text": [
                        "Comment posted.\n"
                    ]
                }
            ],
            "source": [
                "azs.post_comment(incident_id=incident.iloc[0]['name'], comment=\"This is a test comment\", res_id=ws.value)"
            ]
        },
        {
            "cell_type": "code",
            "execution_count": 20,
            "metadata": {},
            "outputs": [
                {
                    "name": "stdout",
                    "output_type": "stream",
                    "text": [
                        "Incident updated.\n"
                    ]
                }
            ],
            "source": [
                "azs.update_incident(incident_id=incident.iloc[0]['name'], update_items={\"severity\": \"High\"}, res_id=ws.value)"
            ]
        }
    ],
    "metadata": {
        "hide_input": false,
        "kernelspec": {
            "display_name": "Python 3",
            "language": "python",
            "name": "python3"
        },
        "language_info": {
            "codemirror_mode": {
                "name": "ipython",
                "version": 3
            },
            "file_extension": ".py",
            "mimetype": "text/x-python",
            "name": "python",
            "nbconvert_exporter": "python",
            "pygments_lexer": "ipython3",
            "version": "3.7.6"
        },
        "latex_envs": {
            "LaTeX_envs_menu_present": true,
            "autoclose": false,
            "autocomplete": true,
            "bibliofile": "biblio.bib",
            "cite_by": "apalike",
            "current_citInitial": 1,
            "eqLabelWithNumbers": true,
            "eqNumInitial": 1,
            "hotkeys": {
                "equation": "Ctrl-E",
                "itemize": "Ctrl-I"
            },
            "labels_anchors": false,
            "latex_user_defs": false,
            "report_style_numbering": false,
            "user_envs_cfg": false
        },
        "toc": {
            "base_numbering": 1,
            "nav_menu": {},
            "number_sections": false,
            "sideBar": true,
            "skip_h1_title": false,
            "title_cell": "Table of Contents",
            "title_sidebar": "Contents",
            "toc_cell": true,
            "toc_position": {},
            "toc_section_display": true,
            "toc_window_display": false
        },
        "varInspector": {
            "cols": {
                "lenName": 16,
                "lenType": 16,
                "lenVar": 40
            },
            "kernels_config": {
                "python": {
                    "delete_cmd_postfix": "",
                    "delete_cmd_prefix": "del ",
                    "library": "var_list.py",
                    "varRefreshCmd": "print(var_dic_list())"
                },
                "r": {
                    "delete_cmd_postfix": ") ",
                    "delete_cmd_prefix": "rm(",
                    "library": "var_list.r",
                    "varRefreshCmd": "cat(var_dic_list()) "
                }
            },
            "types_to_exclude": [
                "module",
                "function",
                "builtin_function_or_method",
                "instance",
                "_Feature"
            ],
            "window_display": false
        },
        "widgets": {
            "application/vnd.jupyter.widget-state+json": {
                "state": {},
                "version_major": 2,
                "version_minor": 0
            }
        }
    },
    "nbformat": 4,
    "nbformat_minor": 4
}
